Gutyán Gábor / circlestack
Commit 0b7b8883 authored Sep 10, 2014 by Bach Dániel

dashboard: fix xss in autocomplete

parent 832cfdce
Showing 1 changed file with 8 additions and 3 deletions

circle/dashboard/autocomplete_light_registry.py (+8 -3)
import
autocomplete_light
import
autocomplete_light
from
django.contrib.auth.models
import
User
from
django.contrib.auth.models
import
User
from
django.utils.html
import
escape
from
django.utils.translation
import
ugettext
as
_
from
django.utils.translation
import
ugettext
as
_
from
.views
import
AclUpdateView
from
.views
import
AclUpdateView
...
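Review bot: the only change in this region is the new `from django.utils.html import escape`, which is needed because the highlighting helper below now escapes every slice it returns; as an optional simplification, `django.utils.html.format_html` (available in the Django versions of this period) escapes its arguments and returns a safe string in one call, which would replace the three separate `escape(...)` calls and the string concatenation in the hunk below with a single `format_html('{}<span class="autocomplete-hl">{}</span>{}', field[:match], field[match:match_end], field[match_end:])`.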
@@ -23,10 +24,14 @@ class AclUserGroupAutocomplete(autocomplete_light.AutocompleteGenericBase):
...
@@ -23,10 +24,14 @@ class AclUserGroupAutocomplete(autocomplete_light.AutocompleteGenericBase):
match
=
None
match
=
None
if
q
and
match
is
not
None
:
if
q
and
match
is
not
None
:
match_end
=
match
+
len
(
q
)
match_end
=
match
+
len
(
q
)
return
(
field
[:
match
]
+
'<span class="autocomplete-hl">'
+
return
(
escape
(
field
[:
match
])
field
[
match
:
match_end
]
+
'</span>'
+
field
[
match_end
:])
+
'<span class="autocomplete-hl">'
+
escape
(
field
[
match
:
match_end
])
+
'</span>'
+
escape
(
field
[
match_end
:]))
elif
none_wo_match
:
return
None
else
:
else
:
return
None
if
none_wo_match
else
field
return
escape
(
field
)
def
choice_displayed_text
(
self
,
choice
):
def
choice_displayed_text
(
self
,
choice
):
q
=
unicode
(
self
.
request
.
GET
.
get
(
'q'
,
''
))
q
=
unicode
(
self
.
request
.
GET
.
get
(
'q'
,
''
))
...
...
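Review bot: escaping each piece after slicing (`escape(field[:match])`, `escape(field[match:match_end])`, `escape(field[match_end:])`) is the correct order, because `match` and `match_end` are offsets into the raw `field` and escaping before slicing would shift them by the width of each entity (`&` becomes `&amp;`); a regression test with a field value such as `a<b>&c` and a query hitting the middle of it would lock that in. The no-match path now returns `escape(field)` instead of the raw `field`, so every return path is escaped, and splitting `return None if none_wo_match else field` into the `elif none_wo_match: return None` / `else:` branches keeps the previous behaviour for the `None` case. One thing to confirm: `escape()` returns a `SafeText`, but concatenating it with the plain `'<span class="autocomplete-hl">'` and `'</span>'` literals yields an ordinary unmarked string, so the caller that renders this helper's result must already treat it as HTML rather than escaping it a second time; if it does not, wrapping the final concatenation in `mark_safe` (or using `format_html`) would be needed for the highlight markup to render.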